Effects of detector efficiency mismatch on security of quantum cryptosystems 

We suggest a type of attack on quantum cryptosystems that exploits variations in detector efficiency as a function of a control parameter accessible to an eavesdropper. With gated single-photon detectors, this control parameter can be the timing of the incoming pulse. When the eavesdropper sends short pulses using the appropriate timing so that the two gated detectors in Bob's setup have different efficiencies, the security of quantum key distribution can be compromised. Specifically, we show for the Bennett-Brassard 1984 (BB84) protocol that if the efficiency mismatch between 0 and 1 detectors for some value of the control parameter gets large enough (roughly 15:1 or larger), Eve can construct a successful faked-states attack causing a quantum bit error rate lower than 11%. We also derive a general security bound as a function of the detector sensitivity mismatch for the BB84 protocol. Experimental data for two different detectors are presented, and protection measures against this attack are discussed.

I. INTRODUCTION



Quantum cryptography enables secure communication 
between two parties Alice and Bob, given a quantum 
channel and an authentic public channel [1], [3]. The
security is guaranteed by the laws of quantum mechanics
rather than assumptions about the resources
available to a potential adversary. Although the
protocol for secret key distribution, quantum key dis- 
tribution (QKD), can be proved secure in principle, in 
the real world the system is not perfect. Flaws in the 
source and/or detector may be exploited by an eaves- 
dropper (commonly called Eve) to collect information 
about the key without being discovered. Intuitively, it 
seems clear that when the imperfections are sufficiently 
small, the QKD protocol may still be secure. The impact 
of several imperfections has been discussed previously, 
and corresponding security bounds have been established.

FIG. 1: Set of all possible input signals for a secure system.

Before we go on to consider a specific detector imperfection, let us discuss the place of our studies in the picture of security. For any system where security is required, the set of all possible input signals can be divided into three subsets (Fig. 1). The subset A are the input
signals for which the system is guaranteed to function 
normally (e.g., for a key distribution system, generate 
a secret key). The subset C are the input signals for 
which the system fails to perform the required function 
explicitly (e.g., fails to generate the secret key and alarms 
legitimate users about it). The subset B are input signals 
for which the system behaves in a way the developers are 
not quite sure about, thus potentially including subver- 
sions by a third party (e.g., generation of a key known 
to Eve while not raising an alarm). The last subset ide- 
ally should not exist and subsets A and C should ideally 
border one another, or at least the developers should be 
reasonably sure they do. 

With classical digital systems requiring security, input 
data are binary strings, and the situation where the sys- 
tem is reasonably guaranteed to have empty subset B 
is achievable. For example, implementations of common 
cryptographic primitives are usually known to be reason- 
ably secure. However, developers of protocols and appli- 
cations with more complex functionality (e.g., most soft- 
ware for personal computers) often release them knowing 
that the subset B is likely nonempty; successful attacks 
would be found with time, and closed by applying patches 
on an ad hoc basis. The latter situation is clearly not ac- 
ceptable for QKD. 

The problem is that input data for Bob in a QKD sys- 
tem are not binary strings which are well defined and 
could be directly checked by an algorithm running on a 
classical computer. The input data for Bob are states 
of light that we, at the present level of technology, are 
having considerable difficulty detecting at all, and that 
have more degrees of freedom than binary data. This 
makes the important task of developing a complete security proof (and building a QKD system that fully corresponds to the model in the proof) intricate. We contribute to this effort by first showing that the subset B is still nonempty in the currently used model: some subset $B_1$ of input light states exists that results in a compromise of security, or that has merely not been considered before. Then, we try to find ways to expand the subsets A and C to cover $B_1$ via both extending the model in the proof and suggesting modifications to QKD setups.

More concretely, we will consider a specific imperfection
at the detector: a mismatch in detector timing
that occurs in most practical implementations of QKD 
over optical fibers. Most of today's quantum cryptosys- 
tems operating in the 1300 and 1550 nm telecommunica- 
tion windows use gated avalanche photodiodes (APDs) 
as single-photon detectors. The detector is sensitive to 
an incoming photon for a short time (a few nanoseconds) 
called the detection window, and has practically zero sen- 
sitivity outside the detection window. The systems op- 
erate in a pulsed mode, where the expected time of pho- 
ton arrival is synchronized with the middle part of the 
detection window. The systems have at least two sepa- 
rate detection windows or two separate detectors at Bob's 
side (for 0 and 1 bit values). These detection windows,
while both covering the time when the photon comes, 
are inevitably shifted relative to each other, due to finite 
manufacturing tolerances. The shift may arise due to 
small optical path length differences or wire length dif- 
ferences, as well as other imperfections and variations in 
the detector electronics. Although the detector sensitiv- 
ities might seem well matched when characterized with 
Alice's pulses, there may exist rapidly varying differences 
at the edges that can only be resolved with extremely 
short pulses. 

Eve may exploit a detector timing mismatch by using a version of the so-called faked-states attack. A faked-states attack on a quantum cryptosystem is an intercept-resend attack where Eve does not try to reconstruct the original states, but instead generates (quantum mechanical or classical) light pulses that get detected by the legitimate parties in a way controlled by her while not setting off any alarms. In this case, she may adjust the timing of her states in order to change the sensitivity of the 0 detector relative to that of the 1 detector, and vice
versa. By using very short pulses she may take advantage 
of any rapidly varying features in the detector sensitivity 
curves not visible to Alice and Bob. 

The paper is organized as follows. In Sec. II we in- 
troduce the faked-states attack in the "ideal" case where 
either detector can be totally blinded on Eve's choice. 
This attack gives Eve full information about the key while 
Bob registers no increase in the quantum bit error rate 
(QBER). In Sec. III we derive efficiency figures of a practically possible intercept-resend attack in a more realistic situation with partial efficiency mismatch. Section IV contains a discussion of the security for any eavesdropping attempts. Measurements of detector sensitivity curves for two different detectors are presented in Sec. V.
Finally, we discuss protection measures against this at- 
tack and conclude the paper in Sec. VI. Although the 
attack is exemplified using the Bennett-Brassard 1984 
(BB84) protocol [1], other protocols that use four states 
in two bases may also be vulnerable. 



II. TOTAL DETECTOR SENSITIVITY MISMATCH

To explain the attack, let us consider an ideal case when the detector sensitivity curves are significantly shifted in time relative to one another, so that time zones exist when one detector is completely blind while the other remains sensitive. Such a situation is depicted in Fig. 2. The figure also shows the last part of the scheme with a Mach-Zehnder interferometer, the example scheme on which we will consider this attack.¹ During normal operation, Alice's pulse (denoted "Normal signal") is timed
to the middle of the detector sensitivity curves, and both 
detectors are sensitive to it. Now if Eve mounts a faked- 
states attack, she cuts into the line and measures Alice's 
quantum states (choosing the basis randomly), and re- 
places them with faked states. She can construct faked 
states of pulses shifted in time to the sides of Bob's de- 
tector sensitivity curves, so that only one of the two de- 
tectors can fire in each case (the other one is blinded by 
timing). Thus she can set her bit value for Bob. Unlike 
the bit value, she has no direct control over which basis 
Bob applies with his phase modulator. However, Eve can 
make sure Bob never detects anything if he chooses a ba- 
sis incompatible with Eve's measurement (which happens 
randomly in 50% of the cases). To do this, she sets the 
relative phase of the pulses in the two arms of the interferometer such that, if Bob chooses an incompatible basis and applies the corresponding phase shift to his phase modulator (PM), the interference outcome at the 50-50 coupler (BS) leads all light toward the detector that is blinded by timing. If, however, Bob chooses another basis (compatible with Eve's), the interference outcome at the coupler will be 50%-50% and the other detector will click. This trick works because, with today's components and transmission lines, Bob detects only a small fraction of the photons sent by Alice. The click at Bob's detector in the case of attack occurs with a reduced probability, but Eve can easily compensate by increasing the brightness of her faked states and thus keeping Bob's average detection rate the same as before mounting the attack. It is also easy to see that the bit statistics obtained by Bob are the same as those obtained in the absence of the attack. As you see, Eve now gets a complete copy of the key, and remains hidden.

FIG. 2: Bob's part of the setup. Bob chooses the basis with the phase modulator (PM). The large detector efficiency mismatch is shown on the plot to the right. [Plot labels along the time axis t: "Eve's '0' only", "Normal signal", "Eve's '1' only".]

¹ Although a scheme with phase encoding is given as an example in Sec. II, the attack and all obtained results equally apply to polarization encoding, owing to the formal isomorphism between the two encodings.

The case of total detector sensitivity mismatch is not 
only convenient for explaining the principle of the attack, 
but can also occur in practice, as the experimental data 
later show. However, much more common and, indeed, 
unavoidable in reality would be the case when the detec- 
tor sensitivities vary relative to each other in time but 
the ratio between them does not get very large. The im- 
plications of this property of detectors for security are 
analyzed in the rest of the paper. 



III. PARTIAL DETECTOR SENSITIVITY MISMATCH

We will now consider the case when the sensitivity 
curves are slightly shifted, i.e., the detectors can only be 
partially blinded. For analysis in this section, we shall 
choose an eavesdropping strategy that is not necessarily 
optimal, but could clearly be implemented today. Let us 
simply adopt the intercept-resend strategy as described 
in the previous section for that. 

Having chosen the strategy, let us consider all the possible basis and bit combinations during the attack. If we look at the relative phase of the pulses that Eve generates, we can note that, formally, she always chooses to resend to Bob the opposite bit value in the opposite basis compared to her detection. For example, if Eve detects a 0 in the Z basis, she sends a 1 bit in the X basis to Bob. She also chooses the timing so as to suppress 1 detection, i.e., a timing $t = t_0$ for which the ratio $\eta_1(t)/\eta_0(t)$ is small, where $\eta_0(t)$ and $\eta_1(t)$ denote the time-dependent detector efficiencies. The different events are shown in Table I for the special case where Alice sends a 0 in the Z basis (the other three cases are symmetrical to this case). Initially, we assume that all states involved in the protocol and the attack are single-photon states. Later we will discuss the case where Alice and Eve use states with other photon statistics, e.g., faint laser pulses. Also, for now it is assumed that Bob's detectors have no dark counts (which is of course not true but we account for that later on). We assume that Eve's detectors and optical alignment are perfect, and that Eve generates faked states that match the optical alignment in Bob's setup perfectly. Based on the probabilities in the table we can now estimate the efficiency figures for this strategy in terms of the QBER and the mutual information between Eve and Alice, and Bob and Alice.

TABLE I. The intercept-resend attack when Alice sends a 0 in the Z basis (as indicated in the first column). The second column contains the basis chosen by Eve and the measurement result; the third column shows the basis, bit, and timing as resent by Eve. In the next columns Bob's basis choice and measurement results are given. For the case with partial detector sensitivity mismatch, the probabilities for the different results are shown, given Eve's basis, bit value, and timing in addition to Bob's basis. Note that, for ease of discussion, the first two rows are repeated so that each row in the table occurs with probability 1/8.

We discard all cases where Alice and Bob have chosen incompatible bases. When Alice sends a 0 in the Z basis, the probability that the qubit arrives at Bob is

$$P(\mathrm{arrive}\,|\,A = Z0) = \tfrac{1}{4}\left[\eta_0(t_0) + \eta_0(t_1) + 2\eta_1(t_0)\right]. \tag{1}$$

The probability of arrival averaged over Alice's four choices is found by symmetrization of this expression, yielding

$$P(\mathrm{arrive}) = \tfrac{1}{8}\left[\eta_0(t_0) + 3\eta_0(t_1) + 3\eta_1(t_0) + \eta_1(t_1)\right]. \tag{2}$$

Similarly, we find the QBER

$$\mathrm{QBER} = \frac{P(\mathrm{error})}{P(\mathrm{arrive})} = \frac{\ldots}{\eta_0(t_0) + 3\eta_0(t_1) + 3\eta_1(t_0) + \eta_1(t_1)}, \tag{3}$$

where P(error) accounts for the cases when Bob detects a bit value different from what Alice has sent.

Having established the QBER, we will now compare Bob's and Eve's amount of relevant information. Denoting the mutual information between Alice and Bob $H(A:B)$, and the mutual information between Alice and Eve $H(A:E)$, the security is guaranteed when $H(A:B) > H(A:E)$. This condition is sufficient and necessary for protocols with only one-way classical communications (no advantage distillation [15]; with advantage distillation it is not necessary). For intercept-resend attacks, it is clear that $A \to E \to B$ is a Markov chain. Hence, $H(A:B) \leq H(A:E)$, so Bob's key is generally not secure. Note that advantage distillation is not possible because intercept-resend attacks remove any entanglement between Alice's and Bob's qubit.

To analyze in more detail how this particular attack performs we will evaluate the mutual information between Alice and Eve $H(A:E) = H(A) - H(A|E)$. After the basis has been revealed, A takes only two possible values (0 and 1) while Eve's result is Z0, Z1, X0, or X1. We assume that Alice and Bob have used the Z basis (by symmetry in the QKD protocol and the eavesdropping strategy we need only consider this basis choice). The entropy $H(A)$ is found from the probabilities $P(A)$, which, in turn, can be calculated from the arrival probabilities (1) and (2):

$$P(A = 0) = \frac{\eta_0(t_0) + \eta_0(t_1) + 2\eta_1(t_0)}{\eta_0(t_0) + 3\eta_0(t_1) + 3\eta_1(t_0) + \eta_1(t_1)}, \tag{4a}$$

$$P(A = 1) = 1 - P(A = 0). \tag{4b}$$

To identify the conditional entropy $H(A|E)$, we need the conditional probabilities $P(E|A)$, and also $P(A|E)$ which can be found using Bayes' rule:

$$P(A|E) = \frac{P(A)}{P(E)}\,P(E|A). \tag{5}$$

The conditional probabilities $P(E|A)$ are calculated using Table I

In the case A = 1 we find the conditional probabilities directly from Eq. (6) using the symmetry. The probabilities $P(E)$ are found using the relation

$$P(E) = \sum_a P(E\,|\,A = a)\,P(A = a), \tag{7}$$

and the conditional entropy is

$$H(A|E) = -\sum_{e,a} P(A = a)\,P(E = e\,|\,A = a)\,\log P(A = a\,|\,E = e). \tag{8}$$

After substitution of the probabilities above, the result is simple: $H(A|E) = \mathrm{QBER}$, where the QBER is given by Eq. (3). Hence,

$$H(A:E) = H(A) - \mathrm{QBER}. \tag{9}$$

The mutual information between Alice and Bob, $H(A:B) = H(A) - H(A|B)$, is found by a similar procedure. After the basis has been revealed A and also B take only two values (0 and 1). The conditional probabilities

In the special case with symmetric detector efficiency curves, i.e., $\eta_0(t_0) = \eta_1(t_1)$ and $\eta_0(t_1) = \eta_1(t_0)$, we find $H(A:B) = 1 - h(\mathrm{QBER})$ and $H(A:E) = 1 - \mathrm{QBER}$, where $h$ is the binary Shannon entropy function $h(x) = -x\log_2 x - (1-x)\log_2(1-x)$. Thus all quantities, the QBER, $H(A:B)$, and $H(A:E)$, depend only on one parameter: the normalized efficiency $\eta = \eta_1(t_0)/\eta_0(t_0)$. The result is plotted in Fig. 3. As mentioned previously, it is apparent that Eve always has more mutual information with Alice than does Bob. For $\eta = 1/3$ the difference $H(A:E) - H(A:B)$ reaches its maximum $h(1/3) - 1/3 \approx 0.58$ for a corresponding QBER of 1/3. If Bob is not aware of his detector efficiency mismatch, he thinks that the key is secure when the QBER is less than 0.11 (symmetric protocols with one-way classical communications). Thus Eve can compromise the security of the system if $\eta < 0.066$. The privacy amplification Alice and Bob apply will not save them from this attack and will not produce a secret key because the mutual information between Alice and Eve is always greater than that between Alice and Bob.
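
The figures quoted in this section can be recomputed by enumerating the events described for Table I. The Python below is an added example, not code from the paper; the function names are this example's own, and it assumes the model stated above (single-photon states, no dark counts, Alice and Bob both in the Z basis).

```python
import math
from collections import defaultdict


def h(x):
    """Binary Shannon entropy h(x) in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def mutual_information(joint):
    """Mutual information in bits of a table {(a, x): weight}; weights need not sum to 1."""
    total = sum(joint.values())
    pa, px = defaultdict(float), defaultdict(float)
    for (a, x), w in joint.items():
        pa[a] += w / total
        px[x] += w / total
    return sum((w / total) * math.log2((w / total) / (pa[a] * px[x]))
               for (a, x), w in joint.items() if w > 0)


def attack_statistics(eta0_t0, eta0_t1, eta1_t0, eta1_t1):
    """Enumerate the intercept-resend events for compatible bases (Alice and Bob in Z).

    etaB_tK is the efficiency of Bob's detector B at Eve's timing t_K.
    """
    eta = {(0, 0): eta0_t0, (0, 1): eta0_t1, (1, 0): eta1_t0, (1, 1): eta1_t1}
    ab = defaultdict(float)   # weight of (Alice bit, Bob bit) among detected events
    ae = defaultdict(float)   # weight of (Alice bit, Eve result) among detected events
    for a in (0, 1):          # Alice's bit, probability 1/2 each
        # Eve picks Z (prob 1/2) and reads a. She resends bit 1-a in X at timing t_a.
        # Bob's Z measurement splits 50/50; detector b then clicks with eta_b(t_a).
        for b in (0, 1):
            w = 0.5 * 0.5 * 0.5 * eta[(b, a)]
            ab[(a, b)] += w
            ae[(a, ("Z", a))] += w
        # Eve picks X (prob 1/2) and reads a random e. She resends bit 1-e in Z at t_e.
        # Only Bob's detector 1-e can click, with efficiency eta_{1-e}(t_e).
        for e in (0, 1):
            w = 0.5 * 0.5 * 0.5 * eta[(1 - e, e)]
            ab[(a, 1 - e)] += w
            ae[(a, ("X", e))] += w
    p_arrive = sum(ab.values())
    if p_arrive == 0:
        raise ValueError("no detector can click at either timing")
    p_a0 = (ab[(0, 0)] + ab[(0, 1)]) / p_arrive
    return {
        "p_arrive": p_arrive,                             # compare Eq. (2)
        "qber": (ab[(0, 1)] + ab[(1, 0)]) / p_arrive,     # P(error) / P(arrive)
        "H_A": h(p_a0),
        "I_AB": mutual_information(ab),                   # H(A:B)
        "I_AE": mutual_information(ae),                   # H(A:E)
    }


def mismatch_limit(qber_limit=0.11, tol=1e-9):
    """Largest normalized efficiency eta (symmetric curves) for which the QBER caused
    by the attack stays below qber_limit. Bisection works because QBER grows with eta."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if attack_statistics(1.0, mid, mid, 1.0)["qber"] < qber_limit:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    print(" eta    QBER   H(A:B)  H(A:E)")
    for eta in (0.0, 0.05, 1 / 3, 0.5, 1.0):
        s = attack_statistics(1.0, eta, eta, 1.0)   # symmetric curves, peak scaled to 1
        print(f"{eta:5.3f}  {s['qber']:5.3f}  {s['I_AB']:6.3f}  {s['I_AE']:6.3f}")
    print("QBER stays below 0.11 for eta <", round(mismatch_limit(0.11), 4))
```

For symmetric curves the enumeration evaluates to QBER = 2η/(1 + 3η), which is where the limit η < 0.066 at a QBER of 0.11 comes from.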

In a real installation, Alice and Bob may expect the QBER to stay at some level below 0.11, which leaves Eve less room for the attack. Also in the practical scenario considered in this section, the contribution of dark counts in Bob's detectors to the total QBER is independent of other error sources and is beyond the control of Eve. Only the part of QBER not caused by dark counts in Bob's detectors can be used by Eve.

FIG. 3: The QBER, the mutual information between Alice and Bob, $H(A:B)$, and the mutual information between Alice and Eve, $H(A:E)$, as functions of the normalized efficiency of the blinded detector, $\eta$.

Let us consider any side effects this attack may produce that may divulge it. Although the attack may not give any alarm in terms of the QBER, it might be detected as a result of different measurement statistics at Bob's detector. From the expressions above, Eq. (10), and their analogs for the case where Bob used the X basis (incompatible basis), we observe that the measurement statistics have changed as a result of Eve's attack. However, the changes may be reduced or even eliminated by choosing suitable $t_0$ and $t_1$. (For example, the bit rates are equal in the symmetric situation analyzed above.) Similar skews in statistics may be produced in the absence of Eve's attack by random drifts and optical misalignments during operation, and may lie within what Bob normally expects.

So far we have assumed that Alice and Eve use single-photon states. Then Bob can detect the attack as a decreased bit rate, because P(arrive) usually would be less than the detection probability Bob has with no attack. Any reasonably well implemented Bob would monitor the bit rate and raise an alarm if it drops significantly. To compensate for the reduced detection probability, Eve could increase the brightness of her pulses (several photons in each pulse, and possibly different photon statistics for the $t_0$ and $t_1$ pulses). However, this compensation might be possible to detect from the coincidence count rates at Bob's detectors. Alternatively, Eve could place her intercept unit and resend unit at two separate locations along the transmission line, thus winning the photons that would be lost in the line between these two locations. In the limit we have to assume she would place the intercept unit near Alice and the resend unit near Bob, getting the whole amount of normal loss in the line to cover for the reduction in detection probability caused by her attack.

If Alice uses faint laser pulses, the attack is still possible. However, now Eve must consider the basis-dependent coincidence count rates at Bob's detectors. If we grant Eve a future technology, namely, the ability to do photon number measurement, she would be able to retain the coincidence rates: Eve could measure the photon number first, and run the faked-states attack only on those pulses that contain one photon, using a single-photon source to generate faked states. Those of Alice's pulses that contain two or more photons can be passed undisturbed to Bob at the expense of a small part of the key becoming unavailable to Eve. Alternatively they can be eavesdropped on using the photon number splitting (PNS) attack [13], provided a version of the PNS attack that does not alter coincidence counts could be constructed in this case [20].

Watching the rates and coincidence statistics for different bit-basis combinations is useful as a general precaution and should be built into the key distribution protocol. But it does not necessarily provide security against this attack.



IV. SECURITY BOUND 

The intercept-resend attack described in the previous 
section is not necessarily the optimal attack. Alice and 
Bob want, of course, their protocol to be secure against 
any attack permitted by quantum mechanics. Note that 
Eve can exploit rapidly varying features in the detector 
sensitivity behavior even though she does not regenerate 
the pulses. She may perform a quantum nondemolition 
measurement of Bob's pulses to collapse them into much 
shorter ones, obtaining the associated timing informa- 
tion of the resulting pulse. As shown in the Appendix, 
this measurement will not disturb the degrees of freedom 
encoding Bob's qubit. 

The following discussion of security will be based on the proofs by Lo and Chau and by Shor and Preskill. Here, Eve is allowed to do collective attacks and perform arbitrary quantum operations on each block of data. Alice and Bob use only one-way classical communications in the QKD protocol. Note that higher bit error rates can be tolerated if they use two-way classical communications [21] (advantage distillation).

The critical point in the Lo-Chau and Shor-Preskill proofs is to bound the so-called bit and phase error rates. In the entanglement purification protocol used in the proof, this corresponds to bounding the fidelity of the Bell pairs received by Alice and Bob, and therefore the mutual information Eve has with their measurement results. In the QKD protocol, Alice and Bob measure the error rate by sampling a subset of the qubits randomly. Bob measures the qubits in two bases (chosen randomly for each qubit). The error rate as measured in the random sampling process is denoted the bit error rate; the error rate if Bob had chosen the opposite basis is denoted the phase error rate. In the case where Eve can control the detector efficiencies, we distinguish between the measured bit error rate (QBER) and the actual bit error rate. The measured bit error rate (QBER) is the error rate as measured by Bob, while the actual bit error rate is the error rate that Bob would measure if his detectors were perfect.

FIG. 4: Security state of a QKD system as a function of the normalized efficiency of the blinded detector $\eta$ and the measured QBER. In the "Secure" zone, the required amount of privacy amplification is larger than without considering this attack, being determined by $\delta$ given in Eq. (14). In order to make this plot, we have allowed for some simplifications. The border between "Not proven" and "Insecure" zones is drawn assuming the special case of symmetric detector efficiency curves discussed in Sec. III. The QBER for the "Insecure" zone is assumed to be without contribution from dark counts in Bob's detectors.

An analysis of several attacks where the eavesdropper 
has some information on the basis used by Bob is described
by Gottesman et al. [11]. In the Trojan pony
attack (Ref. [11]), the eavesdropper can control the efficiency
of the detectors to create an asymmetry between
the bit error rate (which is measured by Bob) and the 
phase error rate (which is not measured) . In the optimal 
case (as seen from Eve's viewpoint) all errors that Eve 
eliminates are bit errors. Note that, in this case, the bit 
error rate as measured by Bob is the actual bit error rate 
since Eve does not control the two detector efficiencies 
separately (as opposed to the situation analyzed in this 
paper). Bob's problem is rather that he cannot measure 
bit and phase errors on the same qubit. 

Now, consider the case relevant to the present paper, 
where Eve has no information on the basis used by Bob. 
Instead she can control the 0 and 1 detector efficiencies
separately, by appropriate timing of the qubits. Since 
Eve does not know Bob's basis, the actual bit and phase 
error rates will be equal. However, since Eve can force the 
efficiencies of the two detectors to be different, the mea- 
sured bit error rate will be different from the actual bit 
error rate. Therefore, Bob has to estimate the actual bit 
error rate from the measured bit error rate and a priori 
knowledge of Eve's power (that is, he must characterize 
his detector sensitivity curves). 



The available bit rate from the QKD after privacy amplification is

$$R = 1 - 2h(\delta), \tag{11}$$

where $\delta$ is the actual bit error rate and $h$ is the binary Shannon entropy function $h(x) = -x\log_2 x - (1-x)\log_2(1-x)$. The actual bit error rate is related to the measured error rate and the detector efficiencies. The two detector efficiencies are denoted $\eta_0(t)$ and $\eta_1(t)$, and at a certain time $t$, they may be different. For example, take $\eta_0(t) > \eta_1(t)$. In a worst-case scenario, Eve minimizes the measured bit error rate (QBER) for a given $\delta$. Assuming a large number $N$ of qubits, $\delta N$ of them would be detected as errors if the detectors were perfect. For Bob's detectors, in the worst case this number is reduced to $\eta_1(t)\delta N$ provided Eve uses the timing $t$. At the same time, the number of qubits detected as correct bits is only reduced from $(1-\delta)N$ to $\eta_0(t)(1-\delta)N$. The associated QBER becomes $\eta_1(t)\delta/[\eta_1(t)\delta + \eta_0(t)(1-\delta)]$. Minimizing with respect to $t$, we obtain²

where

$$\eta = \min\left\{\min_t \frac{\eta_1(t)}{\eta_0(t)},\ \min_t \frac{\eta_0(t)}{\eta_1(t)}\right\}. \tag{13}$$

In other words, the estimate for $\delta$,

$$\delta = \frac{\mathrm{QBER}}{\eta + (1-\eta)\,\mathrm{QBER}}, \tag{14}$$

and not the QBER, should be used to determine the required amount of privacy amplification. The QKD protocol is secure provided $\delta < 0.11$ [0.11 is the zero of $1 - 2h(\delta)$], which means approximately that $\mathrm{QBER} < 0.11\eta$.

The bound above might be a little pessimistic: Eve 
needs at least a "partial" qubit measurement to decide 
which timing to use for the pulses going to Bob. This 
measurement must certainly be performed before Eve 
gets information on the basis used by Alice and Bob. The 
Shor-Preskill bound assumes that Eve may wait with her 
measurement until the basis choice is made public. 
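
The bound of Eqs. (11), (13) and (14), applied to sampled sensitivity curves the way Bob would after characterizing his detectors. This is an added example, not code from the paper: the function names are this example's own, the sample curves are constructed (chosen to give a mismatch of 1/2, the value reported for detector model 1 in Sec. V), and the "Insecure" border QBER = 2η/(1 + 3η) is this example's evaluation of the Sec. III attack for symmetric curves without dark counts.

```python
import math


def h(x):
    """Binary Shannon entropy h(x) in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def delta_zero(tol=1e-12):
    """Zero of 1 - 2h(delta) on (0, 1/2), found by bisection (about 0.11)."""
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if 1 - 2 * h(mid) > 0:
            lo = mid
        else:
            hi = mid
    return lo


DELTA_0 = delta_zero()


def mismatch_eta(eta0, eta1):
    """Eq. (13) on sampled curves: the smallest efficiency ratio over all timings."""
    ratios = []
    for e0, e1 in zip(eta0, eta1):
        if e0 == 0 and e1 == 0:
            continue              # neither detector can click at this timing
        ratios.append(min(e0, e1) / max(e0, e1))   # 0.0 if exactly one is blind
    if not ratios:
        raise ValueError("both curves are zero everywhere")
    return min(ratios)


def actual_error_rate(qber, eta):
    """Eq. (14): worst-case actual bit error rate behind a measured QBER."""
    denom = eta + (1 - eta) * qber
    if denom == 0:
        return 0.5                # total mismatch, no errors seen: nothing is bounded
    return qber / denom


def key_rate(qber, eta):
    """Eq. (11) evaluated with the estimate of Eq. (14); 0 when no key can be distilled."""
    delta = actual_error_rate(qber, eta)
    return 0.0 if delta >= DELTA_0 else 1 - 2 * h(delta)


def max_tolerable_qber(eta):
    """Measured QBER at which Eq. (14) reaches delta = DELTA_0 (Eq. (14) solved for QBER)."""
    return DELTA_0 * eta / (1 - DELTA_0 * (1 - eta))


def zone(qber, eta):
    """Zones of Fig. 4 for a measured QBER and a characterized mismatch eta."""
    if qber < max_tolerable_qber(eta):
        return "Secure"
    if qber >= 2 * eta / (1 + 3 * eta):   # Sec. III attack fits inside this QBER
        return "Insecure"
    return "Not proven"


# Constructed sample curves (efficiency per timing step), NOT measured data.
ETA0_SAMPLES = [0.00, 0.02, 0.06, 0.09, 0.10, 0.09, 0.05, 0.01, 0.00]
ETA1_SAMPLES = [0.00, 0.01, 0.05, 0.09, 0.10, 0.09, 0.06, 0.02, 0.00]

if __name__ == "__main__":
    eta = mismatch_eta(ETA0_SAMPLES, ETA1_SAMPLES)
    print(f"eta from curves        : {eta:.3f}")
    print(f"max tolerable QBER     : {max_tolerable_qber(eta):.4f} (vs {DELTA_0:.4f} if matched)")
    for qber in (0.01, 0.03, 0.05, 0.08):
        print(f"QBER={qber:.2f}  R={key_rate(qber, eta):.3f}  "
              f"R(matched)={key_rate(qber, 1.0):.3f}  zone={zone(qber, eta)}")
```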

The security findings that have been made in the paper 
are summarized in Fig. 31 

² Eve may certainly use several different $t$'s for different qubits. However, since $\sum_i p_i / \sum_i q_i \geq \min_i (p_i/q_i)$ for any positive $p_i$ and $q_i$, the minimum QBER is still given by the minimum of $\eta_1(t)\delta/[\eta_1(t)\delta + \eta_0(t)(1-\delta)]$ and $\eta_0(t)\delta/[\eta_0(t)\delta + \eta_1(t)(1-\delta)]$ for all $t$.

V. EXPERIMENTAL DATA

In this section we present measured detector sensitivity curves of two different single-photon detectors. Both devices under test were laboratory prototypes of detectors that were a part of or intended for use in quantum cryptography systems.



A. Detector model 1 

The first detector we tested was a time-multiplexed detector, i.e., a single detector registering 0 and 1 counts in different time slots. The light pulses corresponding to the 0 and 1 bit values were combined into a single fiber (one of the pulses was delayed in an optical delay line), and fed to the detector. The detector was gated at double the pulse rate, with 0 pulses coming in odd gates and 1 pulses coming in even gates. The model operated at 1310 nm and used a Soviet-made Ge APD (standard part number FD312L, developed by NPO Orion) cooled to 77 K. Gate pulses at the APD in this detector were made as narrow as practically possible, around 2 ns full width at half maximum (FWHM). The laser pulse in the
test was 100 ps wide (FWHM) and was actually the same 
pulse normally used by Alice: we simply employed the 
entire QKD setup described in Ref. [Ill to do the detector 
test, only changing the time delay of the laser pulse in 
order to measure the sensitivity curves. The measured 
curves are presented in Fig. 5.

Since the same detector is used for 0 and 1 detections,
we would expect the shapes of sensitivity curves to be 
highly identical. This is indeed the case. Also the curves 
have almost no time shift relative to one another, which 
means the fiber optic delay line in our setup was cut 
and spliced with good precision (from these data we can 
estimate the cutting inaccuracy to be less than ±25 ps 
or ±5 mm). Nevertheless the time range (encircled on 
the chart) where the laser pulse impinges the APD at 
the closing edge of the gate shows sensitivity mismatch 
$\eta \approx 1/2$. It is possible the mismatch is actually larger
than this, but we could not resolve it unless we used nar- 
rower laser pulses and did a more detailed measurement 
in this time range. The other side of the peak where the 
laser pulse impinges the APD before and at the open- 
ing edge of the gate shows no discernible sensitivity mis- 
match, because the APD sensitivity in this time range 
rises smoothly. This is consistent with the presence of a 
trailing tail in a typical APD time response.

The measured curves suggest that the practical attack 
described in Sec. III would be impossible, but the general
security bound of Sec. IV would impose a significant penalty
on the key rate and maximum allowed QBER. It is also 
clear that a better measurement with narrower laser pulse 
(no wider than few tens of picoseconds), smaller time 
increments, and extended time range would generally be 
desired for detector testing. 

The precision with which the fiber delay line was cut in 
this setup was actually unnecessary for normal operation 
of the QKD. Should less care be taken in cutting the delay 
line, there would typically be larger mismatch at both 
sides of the curve. In the worst possible case one of the curves could end up shifted to the left by 1.1 ns, providing the same sensitivity for Alice's pulse as we have now while leaving sufficiently large mismatch at the sides for Eve to attempt the practical attack described in Sec. III.

FIG. 5: Detector model 1. Sensitivity curves for the 0 (open squares) and 1 (filled squares) time slots, at low mean number of photons at the APD ($\mu \ll 1$). Dark counts were subtracted. The curves, originally of different height, were scaled so that their peak points coincide. $t$ is the relative time of arrival of the laser pulse at the APD; $t = 0$ was the actual arrival time of Alice's pulse in the operational QKD setup before this measurement. [Horizontal axis of the plot: t (ns).]



B. Detector model 2 

The second detector we tested was a dual detector, consisting of two identical single-photon detectors registering 0 and 1 counts in parallel. This detector was one of the several different test prototypes developed at the Radiophysics Department at the St. Petersburg State Polytechnic University. Each of the two detector channels had its own APD, gating, and detection electronics, while the thermoelectric cooler for the APDs, power supply, and external synchronization were shared. JDS Uniphase EPM239BA (former Epitaxx EPM239BA) single-mode fiber pigtailed APDs were used, cooled to ≈ −48 °C. The APDs were gated at 100 kHz, with gate pulses having magnitude of 8 V and width of 3.5 ns (FWHM). The laser pulse in the test had wavelength of 1560 nm and was less than 200 ps wide (FWHM). The detector was set into a mode that would be suitable for its operation in a QKD system. The peak efficiencies in both channels were made to be roughly equal, by adjusting the bias voltage separately on each APD. The laser pulses impinged both APDs almost simultaneously; the remaining small difference in the optical paths, 9 mm or 45 ps between the channels, was later accounted for when plotting the charts so they represent the response to a laser pulse impinging both APDs at exactly the same time.

With this detector, we tried to do a more thorough measurement than with the previous one. The sensitivity curves are shown in Fig. 6. Although the curves overlap in a 1.6-ns-wide zone (well enough for use in QKD), there are significant mismatches at the sides. Using the time $t_1$ marked on the chart, and a $t_0$ where both detector efficiencies are small, Eq. (3) gives QBER ≈ 0.061. This may give an impression that the attack described in Sec. III is possible. However, any properly implemented Bob would raise an alarm if the 0 and 1 detection rates were significantly different. To achieve more similar detection rates, Eve can increase the brightness of her $t_0$ pulses and/or tune $t_0$. In the limit where the two detection rates are equal, she chooses the $t_0$ as marked on the chart to obtain the minimum QBER of 0.119. This means that the attack would be discovered (however, it is close to the threshold). Nevertheless, the QKD system with this detector will be rendered inoperative by the general security bound (14), which for $\eta = 1/30$ allows a QBER of no more than 0.0036. Note that shifting the curves relative to one another never eliminates large sensitivity mismatch.

FIG. 6: Detector model 2. Sensitivity curves for the 0 (open squares) and 1 (filled squares) time slots, at mean number of photons at the APD $\mu = 0.5$. Dark counts were subtracted.

In the measurement above, we could not see the quantum efficiency in the long tails, because it was masked by dark counts. It was therefore natural to repeat the measurement using three orders of magnitude brighter pulses. The expected result is complete saturation in the middle, and elevated, well-resolved tails. The result we obtained, however, was quite surprising (Fig. 7). Although the measurement did resolve the tails (showing a significant mismatch around 1 ns), the detector performance in the middle part of the chart was erratic, with sensitivity plunging to zero where there should have been saturation. Using this behavior of the detector, Eve could likely run the attack in conditions close to the total sensitivity mismatch described in Sec. II.

Forced to explain this detector behavior, we turned to the schematic of its electronics. The feature of this particular test prototype was that it used signal reflected from the APD, so that only one electrical waveguide had to be connected to each APD, thus reducing the thermal flow and easing cooling (Fig. 8). To split off the reflected signal, a microstrip coupler was used, forming a circulator at frequencies above 1 GHz. The following amplifier had the bandwidth of ca. 2.5 GHz. Thus the whole tract for the reflected signal suppressed spectral components outside the 1-2.5 GHz band. There was no balancing circuit for spikes in the reflected signal that resulted from the gate front and back edges causing current through the APD capacitance, and also the spikes seeping into the reflected signal tract through other electrical imperfections. These unwanted spikes were partially suppressed spectrally: most of the spectrum of the spikes lay below 1 GHz, as the front and back edges of the gate pulse were less steep than the front edge of the avalanche signal. The comparator threshold was fine tuned to be lower than the avalanche signal, but higher than the parasitic signal at the output of the tract in the absence of avalanche. This all worked fine for avalanches caused by absorption of 1-2 photons, as Fig. 5 illustrated. However, with avalanches caused by almost simultaneous absorption of hundreds of photons from every laser pulse, this spectral-selective circuit connected to a finely tuned comparator produced the gaps seen in Fig. 7. The use of a spectral-selective circuit was a necessary condition for this abnormal behavior. The spectrum of the avalanche pulse was a function of two varying parameters: the pulse length and the shape of its front edge. The fraction of the avalanche pulse that passed through the spectral-selective tract to the comparator thus depended on these two parameters. Small changes in them due to the use of brighter light pulses resulted in the observed behavior of the output signal. Exact details of APD operation with brighter pulses, however, proved to be elusive to measure with the equipment we had.

FIG. 7: Detector model 2. Sensitivity curves for the 0 (open squares) and 1 (filled squares) time slots, at mean number of photons at the APD $\mu = 500$. In the encircled time range (4.65-5.30 ns) the clicking probability in both detectors measured exactly zero (0 counts registered per > 10^ gates). Unfortunately the time reference in this plot is not accurately matched with that in Fig. [S] and the curves' features cannot be directly compared between the two figures.

FIG. 8: Detector model 2. Equivalent diagram of a single channel. G is a single-shot generator that forms the gate pulse for the APD. BPF is an equivalent band-pass filter representing the frequency bandwidth of the tract for the reflected signal.

Although we were able to eliminate the abnormal detector behavior with $\mu \sim 500$ laser pulses by making adjustments in the electronics, this test prototype together with the idea of using reflected signal and/or spectral-selective detection tract had to be scrapped. It is simply too risky from the security standpoint to use detectors based on this or any other "advanced" approach in QKD systems, even if you test them well. More straightforward detection schemes have to be preferred.



VI. DISCUSSION AND CONCLUSION 

We have seen that when the detection of 0 and 1 bits can be blinded separately by timing, Eve can obtain full information about the key while she is hidden. In the case with only partial sensitivity mismatch, a similar attack is possible that raises no alarm for Alice and Bob in terms of the QBER when the mismatch is sufficiently large. Although the specific intercept-resend attack given in Sec. III only works in certain conditions, more sophisticated attacks may exist which are able to exploit small sensitivity mismatches. Hence, to ensure
secure QKD it is crucial to characterize Bob's detectors 
and specify maximum sensitivity mismatch. Based on 
this information, the worst-case estimate for S given in 
(fn)l . and not the QBER, should be used to determine 
the required amount of privacy amplification. 

Specific measures aimed to specify and/or limit the sensitivity mismatch might be the following.

(1) Measure detector characteristics (especially sensitivity vs time) over a variety of input signals, including those well beyond the normal operating range. Use sufficiently short pulses so that all features of the sensitivity curves are captured. Employing a simple, straightforward detector circuitry can help lower the likelihood of hidden surprises, both discovered and undiscovered by testing.

(2) Introduce intentional random jitter in the detector synchronization to "smear" the curves and lower the mismatch.

(3) Implement active protection by checking timing of incoming pulses at Bob. This can be done through random shifting of Bob's detection time window, by registering the time of avalanche onset within the window, or with additional detectors.
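An added sketch, not taken from the paper, of how measures (1) and (2) can be checked numerically: it takes two sensitivity-vs-time curves, reports the worst ratio between the 0 and 1 channels over the points the data resolve, and repeats the check after smearing both curves with Gaussian timing jitter. The trapezoidal curves, the 0.3 ns offset between channels, the 1% noise floor and the 0.5 ns jitter are constructed assumptions.

```python
import math

def gate_curve(times, start, width, edge):
    """Constructed sensitivity curve: linear edges lasting `edge` ns, flat top at 1."""
    return [max(0.0, min(1.0, (t - start) / edge, (start + width - t) / edge))
            for t in times]

def smear(eff, dt, sigma):
    """Convolve a curve with Gaussian timing jitter of standard deviation sigma (ns)."""
    n = len(eff)
    w = [math.exp(-((k * dt) ** 2) / (2 * sigma ** 2)) for k in range(-(n - 1), n)]
    norm = sum(w)
    return [sum(eff[j] * w[i - j + n - 1] for j in range(n)) / norm for i in range(n)]

def mismatch(times, eff0, eff1, floor):
    """Worst ratio min(e0/e1, e1/e0) and its time, over points the data resolve."""
    worst, t_worst = 1.0, None
    for t, a, b in zip(times, eff0, eff1):
        hi, lo = max(a, b), min(a, b)
        if hi < floor:      # both channels under the noise floor: no bound here
            continue
        if lo / hi < worst:
            worst, t_worst = lo / hi, t
    return worst, t_worst

# Constructed data: 3.5 ns gates on a 50 ps grid, channel 1 offset by 0.3 ns.
DT = 0.05
TIMES = [-2.0 + DT * i for i in range(201)]
EFF0 = gate_curve(TIMES, 1.0, 3.5, 0.2)
EFF1 = gate_curve(TIMES, 1.3, 3.5, 0.2)

def characterize(sigma=None, floor=0.01):
    """Worst mismatch of the constructed curves, optionally after jitter smearing."""
    e0, e1 = EFF0, EFF1
    if sigma is not None:
        e0, e1 = smear(e0, DT, sigma), smear(e1, DT, sigma)
    return mismatch(TIMES, e0, e1, floor)

if __name__ == "__main__":
    for label, sigma in (("no jitter", None), ("0.5 ns jitter", 0.5)):
        eta, t = characterize(sigma)
        print(f"{label}: worst mismatch {eta:.3f} at t = {t:.2f} ns")
```

Points skipped by the noise floor are not bounded by the data at all, which is the situation the brighter-pulse measurement in Sec. V B was meant to resolve.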

In the future it would be desirable to see if the general security bound, as implied by (14), can be narrowed. The security bound as it stands now is rather strict, and requires the amount of privacy amplification to be corrected in most practical quantum cryptosystems that use four-state protocols.

Not all QKD protocols are vulnerable to this attack. For example, the Bennett 1992 (B92) protocol m, [23, HI] is not affected, because it uses just one detector for quantum states (however, Bob should be careful not to allow Eve to make a "faked" reference pulse which is accepted by Bob's classical detector but causes no clicks at his single-photon detector; using a local oscillator as proposed in Ref. [1^ is a good solution to this problem; insecure implementations of B92 that do not use homodyne measurement have to be avoided 123. ISOl ). The modification of the BB84 protocol in Refs. [3ll. |33|, with a single detector randomly chosen via phase modulator setting to detect either a 0 or 1 bit, is not vulnerable for the same reason.^ The six-state protocol [s^, [3^ \^ seems not to be vulnerable (though we note that a faked-states attack along the lines of Sec. II on the six-state protocol gives 25% QBER in the case of total efficiency mismatch, while the straight intercept-resend attack results in 33.3% QBER).

On the other hand, the SARG04 protocol [H H [s^l is vulnerable to this attack. Also, faked states exploiting detector efficiency mismatch can be constructed for energy-time encoding and differential phase shift keying QKD schemes HH, lH, El, Hliil ; see examples of faked states in Ref. 0.

^ Although the B92 protocol and the modification of the BB84 protocol in Refs. [3lll32l| are not affected by the attack described in the present paper, they are instead vulnerable to another attack. These protocols apply the key bit values directly at Bob's phase modulator, encoded in the phase shift settings. This makes them vulnerable to the large-pulse attack [33l |3J|- The phase shift settings could be read by Eve from Bob's modulator using external light pulses which do not have to be very bright. The Scarani-Acin-Ribordy-Gisin 2004 (SARG04) protocol 0,[3l|33l also applies the key bit values at Bob's modulator. Other protocols only apply detection bases at Bob's modulator, which makes them less vulnerable to the large-pulse attack.

Implementations with a source of entangled pairs placed outside of Alice and Bob (as opposed to using it inside Alice to prepare the states) give Eve additional degrees of freedom to run this attack. When photons travel from Alice to Bob, Eve can completely block only one of Bob's bases (one detector is blocked by timing and the other by destructive interference in this basis). This allows eavesdropping on the protocols that use two bases (BB84, SARG04), but not on the protocols that use three bases (six-state protocol, Ekert protocol ^2] if it is implemented with an entangled pair source inside Alice). However, when photons travel from the entangled pair source to Alice and Bob with both paths accessible to Eve, she can replace the entangled pair source with a faked one, generating two faked states synchronously: one for Alice and one for Bob. She can generate a pair of faked states that block completely one basis at Alice and another basis at Bob. Then Alice and Bob only get coincidence clicks in the same basis when they choose the third basis in the protocol. This allows eavesdropping on the six-state protocol [38, 39] if it is implemented in an entangled pair version, with the source of entangled pairs placed between Alice and Bob. Also a set of faked states can be constructed for the Ekert protocol (at least if it is implemented as described in Ref. with no additional consistency checks besides checking that $S = -2\sqrt{2}$ [46]).

Throughout the paper, Eve used time $t$ as a control parameter to alter detector efficiencies. We note that $t$ could in principle be regarded as a general control parameter allowing Eve to change Bob's detector efficiencies. It need not be time; it could be, e.g., polarization or wavelength. For instance, in up-conversion single-photon detectors \A7i, i48„ i4£] hardware gating of detectors is removed, but a narrow wavelength selectivity is introduced instead. Eve could try to use the wavelength of pulses instead of time to run this attack.

Finally we note that Qi et al. have recently proposed 
an interesting modification of our attack ^5(?|. 



APPENDIX: QUANTUM NONDEMOLITION 
MEASUREMENT OF QUBIT TIMING 

Here we will show that Eve can perform quantum nondemolition measurements of the timing of the qubits, and collapse Alice's photon pulses into arbitrarily narrow pulses. This measurement does not affect the degrees of freedom encoding the qubit. While (time-bin) phase-encoded qubits are considered here, one may treat other encodings in a similar way.

The phase-encoded qubit is denoted $|\varphi\rangle_{t_0}$. Here, $\varphi$ is the phase difference between the two pulses (0°, 90°, 180°, or 270°), and $t_0$ is the (absolute) timing of the pulses, i.e., the time of the peak of the first pulse. If we assume that $|\varphi\rangle_{t_0}$ is a single-photon state,^ it can be expressed as

$$|\varphi\rangle_{t_0} = \frac{1}{\sqrt{2}}\left(a^\dagger_{t_0} + e^{i\varphi} a^\dagger_{t_0+\tau}\right)|0\rangle, \tag{A.1}$$

where $|0\rangle$ is the vacuum state of the single optical mode, $\tau$ is the time delay between the two pulses, and

$$a^\dagger_{t_0} = \int dt\, \xi(t, t_0)\, a^\dagger(t). \tag{A.2}$$

In Eq. (A.2), $a^\dagger(t)$ is the continuous-time creation operator [51] of the optical mode. The operator satisfies the commutator relation $[a(t), a^\dagger(t')] = \delta(t - t')$. The function $\xi(t, t_0)$ represents, for instance, a Gaussian pulse shape:

$$\xi(t, t_0) = (2\Delta^2/\pi)^{1/4} \exp\left[-i\omega_0 (t - t_0) - \Delta^2 (t - t_0)^2\right]. \tag{A.3}$$

Here $\omega_0$ and $\Delta$ are the central frequency and pulse bandwidth, respectively. The duration $t_\Delta$ of the pulse is of the order $1/\Delta$, and satisfies $t_\Delta \ll \tau$.

If Eve wants to measure the timing of a qubit pulse pair, she should do a nondemolition measurement that does not affect the degrees of freedom encoding the qubit. She divides the pulse time range $[t_0 - t_\Delta/2,\ t_0 + t_\Delta/2]$ into small intervals $T_i = [t_0 - t_\Delta/2 + i\Delta t,\ t_0 - t_\Delta/2 + (i+1)\Delta t]$, where $i$ is a positive integer and $\Delta t$ is her time resolution. [We assume that she has rough estimates of $t_0$ and $t_\Delta$ a priori, with precision better than (of the order of) $t_\Delta$. Moreover, she knows $\tau$ with precision better than $\Delta t$.] The nondemolition measurement is described formally by the projectors

$$P(T_i) = \int_{T_i} dt \left[a^\dagger(t)|0\rangle\langle 0|a(t) + a^\dagger(t+\tau)|0\rangle\langle 0|a(t+\tau)\right]. \tag{A.4}$$

Note that $P(T_i)P(T_j) = \delta_{ij}P(T_i)$ and $\sum_i P(T_i) = 1$ in the Hilbert space spanned by the signal states (A.1), so this is a valid quantum mechanical projective measurement [13]. Moreover, when the projectors $P(T_i)$ act on the state (A.1), the pulse width of each of the two pulses collapses to a smaller pulse width $\Delta t$; however, the qubit encoding is not affected. In other words, Eve compresses the pulses and obtains the timing information $i$.

One way to implement this measurement is first to switch the two pulses into two optical modes $a$ and $b$. The first pulse is then delayed by $\tau$ so that the two pulses arrive at the measuring device simultaneously. The signal state (A.1) can now be expressed as $|\varphi\rangle = \frac{1}{\sqrt{2}}\left(a^\dagger + e^{i\varphi} b^\dagger\right)|00\rangle = \frac{1}{\sqrt{2}}\left(|10\rangle + e^{i\varphi}|01\rangle\right)$, omitting the time notation for simplicity. Now, Eve lets a probe (a simple quantum computer) interact unitarily with the signal state, described as follows: $|00\rangle|0\rangle \to |00\rangle|0\rangle$, $|01\rangle|0\rangle \to |01\rangle|1\rangle$, $|10\rangle|0\rangle \to |10\rangle|1\rangle$. Here the last state in the product denotes that of the probe. Since $|00\rangle|0\rangle \to |00\rangle|0\rangle$ and $|\varphi\rangle|0\rangle \to |\varphi\rangle|1\rangle$, Eve will detect the presence of the qubit without disturbing it. Moreover, if her measurement device is sufficiently fast, she is able to obtain the timing (and the pulses will collapse into shorter ones).

^ Coherent pulses can be treated along the same lines.